code-423n4 / 2021-10-slingshot-findings


msg.value should be 0 when input token is not native #95

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

pauliax

Vulnerability details

Impact

Function _transferFromOrWrap in Slingshot should require that msg.value is 0 when fromToken != nativeToken, to prevent ETH from being accidentally sent together with some other token and left in the contract for mempool snipers to grab.

Recommended Mitigation Steps

require(msg.value == 0, "...");
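
A minimal Solidity sketch of where the recommended check sits, as an added example that is not part of the original report and not Slingshot's own code. Only `_transferFromOrWrap`, `fromToken` and `nativeToken` come from the finding; the contract, the interfaces, the `pull` entry point and the revert strings are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interfaces, declared here so the sketch compiles on its own.
interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IWrappedNativeLike {
    function deposit() external payable;
}

// Hypothetical contract illustrating the finding; not the audited code.
contract TransferOrWrapSketch {
    // Address that stands for the chain's native asset (assumed to be set at deploy time).
    address public immutable nativeToken;
    IWrappedNativeLike public immutable wrappedNativeToken;

    constructor(address nativeSentinel, IWrappedNativeLike wrapped) {
        nativeToken = nativeSentinel;
        wrappedNativeToken = wrapped;
    }

    // Payable entry point, so msg.value can be non-zero on either branch.
    function pull(address fromToken, uint256 amount) external payable {
        _transferFromOrWrap(fromToken, amount);
    }

    function _transferFromOrWrap(address fromToken, uint256 amount) internal {
        if (fromToken == nativeToken) {
            // Native path: the attached value must equal the amount being wrapped.
            require(msg.value == amount, "incorrect native value");
            wrappedNativeToken.deposit{value: amount}();
        } else {
            // Token path: the check from the finding. Without it, ETH attached
            // by mistake stays in the contract's balance after the call returns.
            require(msg.value == 0, "native value sent with token");
            // Assumes a token whose transferFrom returns a bool.
            require(
                IERC20Like(fromToken).transferFrom(msg.sender, address(this), amount),
                "transferFrom failed"
            );
        }
    }
}
```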

tommyz7 commented 2 years ago

Not a bug in my opinion, just validation, should be non-critical

alcueca commented 2 years ago

Zero checks are optional to the sponsor.